Standard Security Policy flagging too many emails as "Potential Phishing"

Hey , thanks for your message!

Firstly, it's great to hear you're using presets, they are an awesome way of ensuring you're up to date with the latest security recommendations, I'm sorry to hear you're finding false positives (FPs) but we can for sure get to the bottom of it.

Secondly, have you tried doing admin submissions for the emails? this will do several things, it will tell us we got our verdict wrong, It will also let you know the results of our analysis. - you will also get the ability during the process to add the part of the message which caused it to be blocked (URL, Sender, Attachment, Spoof) to our Tenant Allow/Block List so it's overridden in the future while we work on getting the reason for the issue fixed.

It's also important to note that sometimes, emails are sent in a way which is non-compliant, so actually instead of overriding decisions, the correct course of action is to fix the underlying issue. - for the examples you have, could you let me know the detection technology which lead to the phish verdict and I may be able to help point you in the right direction. (we also document them all here at aka.ms/emailtech)

Thanks

Ben.